US10356127B2 - Methods and systems for applying security policies in a virtualization environment - Google Patents
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general

- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
- G06F2009/45587—Isolation or security of virtual machine instances

- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/08—Access security
- H04W12/088—Access security using filters or firewalls
Definitions
- This relates generally to securing computer systems, including but not limited to applying security policies in a virtualization environment.
- Virtualization technology enables the creation of isolated environments for running applications on a host system.
- Some virtualization technologies, such as virtual machines, emulate multiple system platforms within a single host system, where each system platform includes a hardware layer and a full operating system environment.
- a plurality of user-space instances is instantiated.
- Each respective user-space instance of the plurality of user-space instances is instantiated within a respective operating system environment, each respective user-space instance having a distinct virtual address space in virtual memory of the respective operating system environment.
- the respective virtual address spaces of the user-space instances are distinct from a kernel address space of the virtual memory.
- one or more respective properties that characterize the user-space instances of the plurality of user-space instances are identified.
- one or more clusters of user-space instances are formed from the plurality of user-space instances, where each cluster of the one or more clusters includes a respective set of one or more user-space instances that are characterized by one or more common properties of the one or more identified properties.
- a respective set of security policies are identified that define authorized or unauthorized operations for respective user-space instances in the respective cluster, and authorized or unauthorized data communications sent by and/or received by respective user-space instances in the respective cluster.
- the identified set of security policies is applied for the respective cluster so as to detect and/or remediate violations of the identified set of security policies.
- a plurality of user-space instances is instantiated.
- Each respective user-space instance of the plurality of user-space instances is instantiated within a respective operating system environment, each respective user-space instance having a distinct virtual address space in virtual memory of the respective operating system environment.
- the respective virtual address spaces of the user-space instances are distinct from a kernel address space of the virtual memory.
- a security instance distinct from the plurality of user-space instances is instantiated, wherein the security instance is instantiated within the respective operating system environment and is executed in user space of a respective virtual address space in virtual memory of the respective operating system environment.
- the security instance is used to monitor operations for the plurality of user-space instances, and data communications sent by and/or received by the plurality of user-space instances.
- For each respective user-space instance of the plurality of user-space instances, the security instance applies a respective set of security policies associated with the respective user-space instance to the monitored operations for the respective user-space instance and the monitored data communications sent by and/or received by the respective user-space instance, so as to detect and/or remediate violations of the respective set of security policies.
- FIG. 1A is a block diagram illustrating a distributed system, having an exemplary network architecture, for instantiating and providing security for user-space instances, in accordance with some embodiments.
- FIG. 1B is a block diagram illustrating multiple user-space instances, instantiated within an exemplary computing network, in accordance with some embodiments.
- FIG. 1C is a block diagram illustrating multiple user-space instances, instantiated within virtual machines in an exemplary computing network, in accordance with some embodiments.
- FIGS. 2A-2B illustrate an application of security policies to user-space instances of a computing network, in accordance with some embodiments.
- FIG. 3A is a block diagram illustrating an exemplary computer system, in accordance with some embodiments.
- FIG. 3B illustrates exemplary data structures that store information for clusters, instances, and security policies, in accordance with some embodiments.
- FIGS. 4A-4D are flow diagrams illustrating a method of applying security policies in a virtualization environment, in accordance with some embodiments.
- FIGS. 5A-5C are flow diagrams illustrating a method of applying security policies in a virtualization environment using a security instance, in accordance with some embodiments.
- the various implementations described herein include systems, methods and/or devices used to enable: (i) instantiating a plurality of user-space instances, (ii) identifying respective properties that characterize the user-space instances, (iii) based on the identified properties, identifying respective security policies that define authorized or unauthorized operations and data communications for user-space instances, and (iv) based on the identified properties, applying the identified security policies so as to detect and/or remediate violations of the identified set of security policies.
- some implementations include a method of applying security policies in a virtualization environment.
- the method is performed at an electronic device of a plurality of electronic devices in a computing network, the electronic device having one or more processors and memory storing instructions for execution by the one or more processors.
- the method includes instantiating a plurality of user-space instances. Each respective user-space instance of the plurality of user-space instances is instantiated within a respective operating system environment, each respective user-space instance having a distinct virtual address space in virtual memory of the respective operating system environment.
- the respective virtual address spaces of the user-space instances are distinct from a kernel address space of the virtual memory.
- one or more respective properties that characterize the user-space instances of the plurality of user-space instances are identified.
- one or more clusters of user-space instances are formed from the plurality of user-space instances, wherein each cluster of the one or more clusters includes a respective set of one or more user-space instances that are characterized by one or more common properties of the one or more identified properties.
- a respective set of security policies are identified that define authorized or unauthorized operations for respective user-space instances in the respective cluster, and authorized or unauthorized data communications sent by and/or received by respective user-space instances in the respective cluster.
- the identified set of security policies is applied for the respective cluster so as to detect and/or remediate violations of the identified set of security policies.
- instantiating the plurality of user-space instances includes instantiating the plurality of the user-space instances within a first operating system environment of a first virtual machine.
- the method further includes applying a set of system-level security policies, implemented by the respective operating system environment, to operations performed by and communications sent by and/or received by the plurality of user-space instances.
- a first subset of the plurality of user-space instances is instantiated within a first operating system environment of a first virtual machine, and a second subset of the plurality of user-space instances distinct from the first subset is instantiated within a second operating system environment of a second virtual machine distinct from the first virtual machine.
- a first cluster of the one or more formed clusters includes user-space instances from both of the first and second subsets of the plurality of user-space instances.
- the one or more respective properties include at least one of: a user-space instance type, a user-space instance sub-type, a user-space instance version, a user-space instance name, associated access controls for a respective user-space instance, a respective network communication protocol used by a respective user-space instance, and a respective network communications port used for data communications.
- the user-space instance type corresponds to user-space instances that are applications accessible via an external network.
- the user-space instance type corresponds to user-space instances that are database applications.
- the database applications corresponding to the user-space instance type do not have direct access to an external network.
- identifying the one or more respective properties comprises inspecting communications sent by and/or received by the user-space instances of the plurality of user-space instances; and deriving at least some of the one or more respective properties from the inspected communications.
- the inspected communications include data packets, each comprising a respective header portion and a respective data portion. Furthermore, inspecting the communications comprises inspecting at least the data portions of the data packets.
- the inspected communications include data sent by a first user-space instance of the plurality of user-space instances to a second user-space instance of the plurality of user-space instances.
- the first user-space instance is instantiated within a first operating system environment of a first virtual machine
- the second user-space instance is instantiated within a second operating system environment of a second virtual machine distinct from the first virtual machine.
- the inspected communications include data sent by and/or received by a first user-space instance, of the plurality of user-space instances, over an external network to which the computing network is communicably connected.
- identifying the one or more respective properties comprises obtaining meta data specifying at least some of the one or more respective properties.
- applying the identified set of security policies for each respective cluster of the one or more clusters comprises: monitoring the operations for the respective user-space instances in the respective cluster, and/or monitoring the data communications sent by and/or received by the respective user-space instances in the respective cluster; detecting a violation of the identified set of security policies for the respective cluster in the monitored operations and/or the monitored communications; and in response to detecting the violation, remediating the violation.
- detecting the violation includes detecting attempts to access an external network by one or more of the respective user-space instances in the respective cluster that are not authorized to access, or have not previously accessed, the external network.
- detecting the violation includes detecting attempts by a first user-space instance, of the respective user-space instances in the respective cluster, to transmit data managed by a second user-space instance of the plurality of user-space instances to an external network, wherein the first user-space instance is authorized to access the external network, and the second user-space instance is not authorized to access the external network.
- detecting the violation includes detecting attempts to access a first user-space instance, of the respective user-space instances in the respective cluster, wherein the access attempts originate from an external network that is not authorized to access the first user-space instance.
- detecting the violation includes detecting attempts by a first user-space instance, of the respective user-space instances in the respective cluster, to access a second user-space instance of the plurality of user-space instances, wherein the first user-space instance is not authorized to access, or has not previously accessed, the second user-space instance.
- remediating the violation includes generating an alert for the violation.
- remediating the violation includes terminating one or more of the plurality of user-space instances that violated the identified set of security policies for the respective cluster.
- remediating the violation includes modifying access privileges of one or more of the plurality of user-space instances that violated the identified set of security policies for the respective cluster.
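Worked example, added here and not the patent's own code: a small Python policy engine that forms clusters from one shared property (the instance type used above), gives each cluster a constructed policy set, evaluates monitored communications for the four violation kinds just listed (unauthorized external egress, exfiltration of another instance's data, unauthorized external ingress, unauthorized or never-before-seen instance-to-instance access), and maps them to the alert, terminate and modify-privileges remediations. Every instance name, policy and event is constructed for the example.

```python
"""Cluster-based security-policy engine modelled on the scheme described above.

Added example for this page, not the patent's own implementation: every
instance, property, policy and event below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

EXTERNAL = "external"  # constructed label for any endpoint on the external network


@dataclass(frozen=True)
class Instance:
    name: str   # user-space instance name
    itype: str  # user-space instance type, e.g. "web" or "db"
    vm: str     # virtual machine / operating system environment hosting it


@dataclass(frozen=True)
class Policy:
    """Authorized operations for every instance in one cluster."""
    external_access: bool     # may send to / receive from the external network
    allowed_peers: frozenset  # instance types this cluster may access directly


@dataclass(frozen=True)
class Event:
    """One monitored data communication, as the security instance sees it."""
    src: str                           # instance name or EXTERNAL
    dst: str                           # instance name or EXTERNAL
    data_origin: Optional[str] = None  # instance whose data the payload carries (payload inspection)


# Constructed policy catalogue keyed by the common property used for clustering.
POLICIES: Dict[str, Policy] = {
    "web": Policy(external_access=True, allowed_peers=frozenset({"db"})),
    "db": Policy(external_access=False, allowed_peers=frozenset()),
}


def form_clusters(instances: List[Instance], prop: str = "itype") -> Dict[str, List[Instance]]:
    """Group instances that share one identified property; a cluster may span VMs."""
    clusters: Dict[str, List[Instance]] = defaultdict(list)
    for inst in instances:
        clusters[getattr(inst, prop)].append(inst)
    return dict(clusters)


class PolicyEngine:
    """Applies each cluster's policy set to the communications of its members."""

    def __init__(self, instances: List[Instance]):
        self.by_name = {i.name: i for i in instances}
        self.clusters = form_clusters(instances)
        # Every instance inherits the policy set identified for its cluster.
        self.policy = {i.name: POLICIES[key]
                       for key, members in self.clusters.items() for i in members}
        self.seen: Set[Tuple[str, str]] = set()  # (src, dst) flows already observed

    def learn(self, events: List[Event]) -> None:
        """Baseline phase: record known-good flows so they are not reported as first-seen."""
        self.seen.update((e.src, e.dst) for e in events)

    def detect(self, ev: Event) -> List[str]:
        """Return the violations one monitored communication raises (empty if none)."""
        found: List[str] = []
        if ev.src != EXTERNAL and ev.dst == EXTERNAL:
            if not self.policy[ev.src].external_access:
                found.append("unauthorized-external-egress")
            # Payload carries data managed by an instance that may not reach the external network.
            if ev.data_origin and not self.policy[ev.data_origin].external_access:
                found.append("protected-data-exfiltration")
        elif ev.src == EXTERNAL and ev.dst != EXTERNAL:
            if not self.policy[ev.dst].external_access:
                found.append("unauthorized-external-ingress")
        elif ev.src != EXTERNAL and ev.dst != EXTERNAL:
            if self.by_name[ev.dst].itype not in self.policy[ev.src].allowed_peers:
                found.append("unauthorized-lateral-access")
            elif (ev.src, ev.dst) not in self.seen:
                found.append("first-seen-lateral-access")  # authorized type, never observed before
        self.seen.add((ev.src, ev.dst))
        return found

    def remediate(self, ev: Event, violations: List[str]) -> List[str]:
        """Map violations to remedial actions: alert, deny, restrict privileges, or terminate."""
        actions = [f"alert:{code}" for code in violations]
        if "protected-data-exfiltration" in violations:
            actions.append(f"terminate:{ev.src}")
        elif "unauthorized-external-egress" in violations or "unauthorized-lateral-access" in violations:
            actions.append(f"restrict:{ev.src}")  # modify the offender's access privileges
        elif "unauthorized-external-ingress" in violations:
            actions.append("deny")  # the security instance refuses to forward the communication
        return actions


# Constructed fleet: the "web" cluster spans two VMs; the "db" cluster has no external access.
FLEET = [Instance("web1", "web", "vm1"), Instance("web2", "web", "vm2"), Instance("db1", "db", "vm2")]
```

A first-seen flow between authorized types is reported with an alert only, so a baseline recorded with `learn()` before enforcement keeps known-good traffic quiet.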
- a first cluster includes a first subset and a second subset of user-space instances, and a first set of security policies for the first cluster includes a first subset of security policies that apply to the first subset of user-space instances, and a second subset of security policies that apply to the second subset of user-space instances.
- the first subset and second subset of user-space instances correspond to first and second user-space instance sub-types of a same user-space instance type.
- identifying the one or more respective properties and applying the identified set of security policies are performed by a security-enforcement instance distinct from the plurality of user-space instances.
- a computer system in a computing network includes one or more processors, a communication interface for communicating with other computer systems in the computing network, and memory storing one or more programs for execution by the processor, the one or more programs including instructions for performing the method of any of A1-A26.
- a non-transitory computer readable storage medium stores one or more programs that when executed by one or more processors of a computer system cause the computer system to perform the method of any of A1-A26.
- Some implementations include a method of applying security policies in a virtualization environment.
- the method is performed at an electronic device of a plurality of electronic devices in a computing network, the electronic device having one or more processors and memory storing instructions for execution by the one or more processors.
- the method includes instantiating a plurality of user-space instances. Each respective user-space instance of the plurality of user-space instances is instantiated within a respective operating system environment, each respective user-space instance having a distinct virtual address space in virtual memory of the respective operating system environment.
- the respective virtual address spaces of the user-space instances are distinct from a kernel address space in which operating system processes are performed.
- a security instance (sometimes called a security user-space instance) distinct from the plurality of user-space instances is instantiated, wherein the security instance is instantiated within the respective operating system environment, and has a respective virtual address space in virtual memory of the respective operating system environment.
- the security instance executes in user-space of the respective virtual address space, and is used to monitor operations of the plurality of user-space instances and data communications sent by and/or received by the plurality of user-space instances.
- For each respective user-space instance of the plurality of user-space instances, the security instance is used to apply a respective set of security policies associated with the respective user-space instance to the monitored operations for the respective user-space instance, and the monitored data communications sent by and/or received by the respective user-space instance, so as to detect and/or remediate violations of the respective set of security policies.
- using the security instance to apply the respective set of security policies comprises, for each respective user-space instance of the plurality of user-space instances: intercepting one or more data communications sent by and/or sent to the respective user-space instance; detecting a violation of the respective set of security policies associated with the respective user-space instance; and in response to detecting the violation, denying transmission of the one or more data communications sent by and/or sent to the respective user-space instance.
- using the security instance to apply the respective set of security policies comprises, for each respective user-space instance of the plurality of user-space instances: detecting a violation of the respective set of security policies associated with the respective user-space instance; and in response to detecting the violation, sending remedial commands to one or more of the plurality of user-space instances that violated the respective set of security policies for the respective user-space instance.
- the method further comprises using the security instance to identify one or more respective properties that characterize the plurality of user-space instances.
- the one or more respective properties are identified at least in part from the data communications sent by and/or received by the plurality of user-space instances.
- the method further comprises, for each respective user-space instance of the plurality of user-space instances: based on the one or more identified properties, using the security instance to identify the respective set of security policies, wherein the respective set of security policies define authorized or unauthorized operations for the respective user-space instance, and authorized or unauthorized data communications sent by and/or received by the respective user-space instance.
- the method further comprises, for each respective user-space instance of the plurality of user-space instances: based on the one or more identified properties, using the security instance to form one or more clusters of user-space instances from the plurality of user-space instances, wherein each cluster of the one or more clusters includes a respective set of one or more user-space instances that are characterized by one or more common properties of the one or more identified properties.
- the method further comprises sending the one or more identified properties to a central module remote from the electronic device.
- the method further comprises receiving, from the central module, the respective set of security policies for each respective user-space instance of the plurality of user-space instances, wherein the respective set of security policies for the respective user-space instance is based on one or more corresponding properties of the one or more identified properties for the respective user-space instance.
- the method further comprises receiving the respective sets of security policies for the plurality of user-space instances from a central module remote from the electronic device.
- the plurality of user-space instances is a first plurality of user-space instances instantiated within a first operating system environment of a first virtual machine; a second plurality of user-space instances distinct from the first plurality of user-space instances is instantiated within a second operating system environment of a second virtual machine distinct from the first virtual machine; and the security instance is a first security instance that is instantiated within the first operating system environment of the first virtual machine.
- the method further comprises instantiating a second security instance within the second operating system environment of the second virtual machine, wherein the second security instance is distinct from the first security instance and the first and second pluralities of user-space instances, and wherein the second security instance is executed in user space of a respective virtual address space in virtual memory of the second operating system environment. Furthermore, the method comprises using the second security instance to monitor operations for the second plurality of user-space instances, and data communications sent by and/or received by the second plurality of user-space instances.
- For each respective user-space instance of the second plurality of user-space instances, the method includes using the second security instance to apply a respective set of security policies associated with the respective user-space instance of the second plurality of user-space instances to the monitored operations for the respective user-space instance, and the monitored data communications sent by and/or received by the respective user-space instance of the second plurality of user-space instances, so as to detect and/or remediate violations of the respective set of security policies associated with the respective user-space instance of the second plurality of user-space instances.
- a respective user-space instance of the plurality of user-space instances corresponds to a respective cluster of one or more clusters of user-space instances, the respective cluster including a respective set of user-space instances that are characterized by two or more common properties; and the respective set of security policies for each respective user-space instance is further associated with a corresponding cluster of the one or more clusters of user-space instances.
- Some implementations include a method of applying security policies in a virtualization environment.
- the method is performed at an electronic device of a plurality of electronic devices in a computing network, the electronic device having one or more processors and memory storing instructions for execution by the one or more processors.
- the method includes instantiating a plurality of user-space instances. Each respective user-space instance of the plurality of user-space instances is instantiated within a respective operating system environment, each respective user-space instance having a distinct virtual address space in virtual memory of the respective operating system environment.
- the respective virtual address spaces of the user-space instances are distinct from a kernel address space in which operating system processes are performed.
- Each of the plurality of user-space instances corresponds to a respective cluster of one or more clusters of user-space instances, wherein each of the one or more clusters includes a respective set of one or more user-space instances that are characterized by one or more common properties.
- the method furthermore includes instantiating a security user-space instance distinct from the plurality of user-space instances, wherein the security user-space instance is instantiated within a respective operating system environment and has a respective virtual address space in virtual memory of the respective operating system environment; using the security user-space instance to monitor operations for the plurality of user-space instances, and data communications sent by and/or received by the plurality of user-space instances; and, for each respective cluster of the one or more clusters, using the security user-space instance to apply a respective set of security policies associated with the respective cluster to the monitored operations for respective user-space instances of the respective cluster, and the monitored data communications sent by and/or received by the respective user-space instances of the respective cluster, so as to detect and/or remediate violations of the respective set
- a computer system in a computing network includes one or more processors, a communication interface for communicating with other computer systems in the computing network, and memory storing one or more programs for execution by the processor, the one or more programs including instructions for performing the method of any of B1-B13.
- a non-transitory computer readable storage medium stores one or more programs that when executed by one or more processors of a computer system cause the computer system to perform the method of any of B1-B13.
- Although the terms first, second, etc. are, in some instances, used herein to describe various elements, these elements should not be limited by these terms. These terms are used only to distinguish one element from another.
- a first user-space instance could be termed a second user-space instance, and, similarly, a second user-space instance could be termed a first user-space instance, without departing from the scope of the various described embodiments.
- the first user-space instance and the second user-space instance are both user-space instances, but they are not the same user-space instance.
- the term “if” is, optionally, construed to mean “when” or “upon” or “in response to determining” or “in response to detecting” or “in accordance with a determination that,” depending on the context.
- the phrase “if it is determined” or “if [a stated condition or event] is detected” is, optionally, construed to mean “upon determining” or “in response to determining” or “upon detecting [the stated condition or event]” or “in response to detecting [the stated condition or event]” or “in accordance with a determination that [a stated condition or event] is detected,” depending on the context.
- The term “exemplary” is used in the sense of “serving as an example, instance, or illustration” and not in the sense of “representing the best of its kind.”
- FIG. 1A is a block diagram illustrating a distributed system 100, using an exemplary network architecture, for instantiating and providing security for user-space instances, in accordance with some embodiments.
- the distributed system 100 includes a number of computer systems 102 (also called “server systems,” or “servers”) 102-1, 102-2, . . . 102-n communicably connected to an external network 106 (e.g., the Internet, cellular telephone networks, mobile data networks, other wide area networks, metropolitan area networks, etc., or a combination of such networks) by one or more local networks 104 (e.g., local area networks).
- computer systems 102 implement one or more virtualization techniques to instantiate a plurality of user-space instances (e.g., instances of applications).
- User-space instances provide isolated environments in which underlying applications are run.
- user-space instances provide remote access (e.g., via external networks 106) to various services and resources.
- the isolated environments in which user-space instances execute limit the damage (e.g., loss of data, interruption of service, etc.) that an application executing in a respective user-space instance can cause to the computer system in which it is executing, and to other computer systems coupled to the same network.
- the one or more external networks 106 include a public communication network (e.g., the Internet and/or a cellular data network), a private communications network (e.g., a private LAN or leased lines), or a combination of such communication networks.
- the one or more local networks 104 and external networks 106 use the HyperText Transport Protocol (HTTP) and the Transmission Control Protocol/Internet Protocol (TCP/IP) to transmit information between devices or systems.
- HTTP permits client devices to access various resources and services available via the one or more external networks 106 (e.g., services provided by the computer systems 102).
- the one or more local networks 104 are, or include, wireless communications channels based on various custom or standard wireless communications protocols (e.g., IEEE 802.11 Wi-Fi), or any other suitable communication protocol, including communication protocols not yet developed as of the filing date of this document.
- at least a portion of the one or more local networks 104 comprises physical interfaces based on wired communications protocols (e.g., Ethernet, USB, etc.).
- one or more third-party systems, client devices, and/or other electronic devices connect to one or more of the computer systems 102 through external networks 106 in order to access resources or services hosted by the computer systems 102 (e.g., web applications provided by user-space instances).
- a respective third-party system is a single computing device such as a computer server, while in other embodiments, the third-party system is implemented by multiple computing devices working together to perform the actions of a server system (e.g., cloud computing).
- Client devices are computing devices such as smart watches, personal digital assistants, portable media players, smart phones, tablet computers, 2D gaming devices, 3D (e.g., virtual reality) gaming devices, laptop computers, desktop computers, televisions with one or more processors embedded therein or coupled thereto, in-vehicle information systems (e.g., an in-car computer system that provides navigation, entertainment, and/or other information), and/or other appropriate computing devices that can be used to communicate with the one or more computer systems 102 .
- Users employ client devices to access computer systems 102 and to access services provided by computer systems 102 .
- one or more client devices execute web browser applications that can be used to access services provided by one or more of computer systems 102 .
- one or more of the client devices execute software applications that are specific to a service provided by the one or more computer systems 102 (e.g., service “apps” running on smart phones or tablets, such as an iPhone, Android, or Windows smart phone or tablet).
- FIG. 1B is a block diagram illustrating multiple user-space instances instantiated within an exemplary computing network, in accordance with some embodiments.
- FIG. 1B illustrates multiple computer systems 102 (e.g., 102 - 1 , 102 - 2 , . . . 102 - n ) communicably connected via local network 104 (e.g., Local Area Network).
- Each computer system 102 has a respective host operating system 310 (e.g., 310 - 1 , 310 - 2 , . . . 310 - n ) and hardware layer 108 (e.g., 108 - 1 , 108 - 2 , . . . ).
- Hardware layers 108 include one or more respective processors 302 (e.g., 302 - 1 , 302 - 2 , . . . 302 - n ), memory 306 (e.g., 306 - 1 , 306 - 2 , . . . 306 - n ), and other optional hardware components (e.g., network interfaces, not shown).
- Processors 302 are sometimes called or known as hardware processors, CPUs, microprocessors or the like.
- One or more host applications 344 (e.g., 344 - 1 , 344 - 2 , . . . 344 - n ) are executed within each host operating system 310 in some embodiments.
- user-space instances 110 are instantiated within respective host operating systems 310 by a respective instance engine 314 , providing access to various resources and services through their underlying applications.
- user-space instances 110 (e.g., 110 - 1 - 1 , 110 - 1 - 2 , . . . 110 - 1 - m ; 110 - 2 - 1 , 110 - 2 - 2 , . . . 110 - 1 - q ; 110 - 3 - 1 , 110 - 3 - 2 , . . . 110 - 1 - p ) (sometimes referred to as containers, software containers, or application instances) are instantiated using operating-system-level virtualization in which the kernel of a respective host operating system 310 allows the instantiation and management of isolated user-space instances 110 .
- User-space instances 110 run in user space atop the kernel of a respective host operating system 310 , and each user-space instance 110 has an isolated user space such that multiple user-space instances 110 may be run on a given host computer system 102 .
- each user-space instance 110 is allocated a respective portion of system resources (e.g., CPU, memory, block I/O, network, etc.) and respective processes are isolated (e.g., use separate address spaces, often called virtual address spaces, in virtual memory), thereby achieving an isolated view of the operating environment for each user-space instance.
- user-space instances 110 in an operating-system-level virtualization scheme communicate directly with their respective host operating systems 310 via an instance engine 314 in order to access respective processes and system resources allocated to the user-space instances 110 . That is, user-space instances 110 do not emulate separate hardware layers and operating systems within their underlying host operating system 310 , and instead rely on the services provided by the kernel of the host operating system 310 .
- each user-space instance 110 includes users/groups with varying levels of access (e.g., administrators, limited-access users, etc.), IP addresses, processes, files, file systems, application files, libraries, configuration files, or any combination thereof.
- applications, libraries, or any files for a user-space instance 110 are only compatible with the respective operating system 310 within which the user-space instance 110 is instantiated (e.g., host operating system 310 is a Linux platform, and user-space instance 110 includes application files that are only Linux compatible).
- Instance engines 314 implement a variety of techniques for instantiating and managing user-space instances 110 .
- instance engines 314 employ a variety of techniques for isolating the processes of user-space instances 110 and for allocating system resources to user-space instances 110 .
- user-space instances are isolated by assigning each respective user-space instance a distinct virtual address space in virtual memory of the respective operating system environment (e.g., host operating system 310 ), where the respective virtual address spaces of the user-space instances are distinct from a kernel address space of the virtual memory.
- instance engines 314 perform process isolation to enable processes and operations for one or more underlying applications of a user-space instance 110 to be isolated from those of other applications (e.g., host applications 344 ), other user-space instances 110 , and operating system processes (e.g., of host operating system 310 ) running on a respective computer system 102 .
- process isolation includes features for managing and isolating segments of process trees (e.g., separating process trees into isolated segments for user-space instances), network access (e.g., network interfaces, ports, and/or protocols usable by the user-space instances), inter-process communications (IPC) (e.g., access between applications, user-space instances, and/or OS processes), instance identifier information (e.g., isolating kernel and version identifiers), and file access privileges.
- a non-limiting example of a process isolation technique is the “namespaces” kernel feature supported by some Linux platforms.
- instance engines 314 perform resource allocation and isolation to allocate a limited portion of available system resources to a given user-space instance 110 (e.g., setting maximum memory allocation for a given user-space instance).
- System resources include hardware resources such as processing bandwidth (e.g., CPU), memory (e.g., RAM, storage, etc.), file/block I/O throughput, and network resources.
- a non-limiting example of a resource isolation technique is the “cgroups” kernel feature supported by some Linux systems.
- properties characterizing user-space instances are stored in one or more data structures (e.g., cluster info table 326 and/or instances info table 328 , FIGS. 3A-3B ).
- Instance engines 314 perform a variety of functions for managing and providing resources to user-space instances 110 .
- instance engines 314 monitor operations (e.g., application processes) and/or data communications (e.g., data sent to and/or from other user-space instances, external networks 106 , etc.) by respective user-space instances 110 .
- Properties of user-space instances may be identified from the monitored operations and data communications (e.g., applying packet inspection techniques).
- identified properties are used to form clusters of user-space instances 110 (e.g., for user-space instances sharing common properties, as described in greater detail elsewhere in this document).
- instance engines 314 are configured to detect and/or remediate violations of the identified sets of security policies.
- security policies are stored in the instance engines 314 as one or more data structures (e.g., policies information table 332 , FIG. 3A ).
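As an added illustration of the monitoring-to-clustering step described above (this is example code, not code from the patent), the following Python derives a type and an external-access property for each instance from a constructed set of monitored communication records and then groups instances sharing those properties into clusters. The port-to-service table stands in for the packet inspection techniques the text mentions, and the instance ids reuse the page's 110-x-y numbering; both are assumptions, and the records themselves are constructed.

```python
"""Identify user-space instance properties from monitored communications and
form clusters. Added example (not the patent's own code): the records, the
instance ids and the port-to-service mapping are all constructed."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed records of the kind an instance engine 314 could collect while
# monitoring data communications: (instance, direction, peer, port, protocol).
# "external" marks a peer in an external network 106; ids follow the patent's
# 110-x-y numbering, but the traffic itself is invented for this example.
MONITORED_RECORDS = (
    ("110-1-1", "listen", "external", 443, "tcp"),
    ("110-1-3", "listen", "external", 80, "tcp"),
    ("110-2-1", "listen", "external", 443, "tcp"),
    ("110-2-3", "listen", "110-1-2", 9042, "tcp"),   # Cassandra native protocol port
    ("110-1-2", "connect", "110-2-3", 9042, "tcp"),
    ("110-2-2", "connect", "110-1-2", 8080, "tcp"),
)

# Port-based service classification stands in for the "packet inspection
# techniques" the text mentions; a real engine would also inspect payloads.
SERVICE_PORTS = {
    80: ("web", "http"),
    443: ("web", "https"),
    5432: ("database", "postgresql"),
    9042: ("database", "cassandra"),
}


@dataclass
class InstanceProperties:
    instance_type: str = "other"      # user-space instance type
    sub_type: str = ""                # user-space instance sub-type
    external_access: bool = False     # exchanges data with an external network
    ports: set = field(default_factory=set)


def identify_properties(records):
    """Derive per-instance properties from monitored communication records."""
    props = defaultdict(InstanceProperties)
    for instance, direction, peer, port, _proto in records:
        p = props[instance]
        p.ports.add(port)
        if peer == "external":
            p.external_access = True
        # Only the side that accepts connections on a service port provides
        # that service; a client merely connecting to 9042 is not a database.
        if direction == "listen" and port in SERVICE_PORTS:
            p.instance_type, p.sub_type = SERVICE_PORTS[port]
    return dict(props)


def form_clusters(props):
    """Group instances that share (type, external access) into clusters."""
    clusters = defaultdict(list)
    for instance, p in sorted(props.items()):
        clusters[(p.instance_type, p.external_access)].append(instance)
    return dict(clusters)


if __name__ == "__main__":
    for key, members in form_clusters(identify_properties(MONITORED_RECORDS)).items():
        print(key, members)
```

With the constructed records the three clusters that come out match the grouping of FIG. 2B (three web instances with external access, two other-application instances, one database instance); note that 110-1-2 is not classified as a database even though it talks to port 9042, because only the listening side defines the service an instance provides.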
- FIG. 1C is a block diagram illustrating multiple user-space instances instantiated within virtual machines in an exemplary computing network, in accordance with some embodiments.
- FIG. 1C illustrates a computer system 102 having a host operating system 310 and hardware layer 108 , which includes one or more respective processors 320 , memory 306 , and other optional hardware components (e.g., network interfaces, not shown).
- multiple virtual machines 120 (e.g., 120 - 1 , 120 - 2 , . . . ) are implemented within the computer system 102 by a virtual machine monitor 340 using one or more virtualization techniques, each of the virtual machines 120 emulating a respective guest operating system 112 (e.g., 112 - 1 , 112 - 2 , . . . 112 - r ).
- multiple user-space instances 110 may then be instantiated within the operating system environment provided by respective host operating system 310 .
- virtual machines 120 are instantiated using platform virtualization (also referred to as hardware virtualization).
- virtual machine monitor 340 (sometimes referred to as a hypervisor) instantiates and manages the virtual machines 120 .
- each virtual machine 120 includes an emulated hardware layer on top of which a guest operating system 112 is run. Guest operating systems 112 communicate with the underlying host computer system 102 through virtual machine monitor 340 .
- a plurality of different environments supporting different underlying system platforms may be executed on the same physical computer system 102 .
- by combining operating-system-level virtualization (according to the various embodiments described in this document) with platform virtualization, a single computer system 102 is able to support user-space instances 110 having various platform compatibilities.
- security functionality is provided and managed for user-space instances 110 across distinct virtual machines 120 of one or more computer systems 102 .
- one or more of the instance engines 314 monitor operations performed by the user-space instances 110 , and/or data communications between user-space instances 110 instantiated in distinct virtual machines 120 (e.g., communications between a respective user-space instance 110 on virtual machine 120 and a respective user-space instance 110 on virtual machine 120 ).
- clusters are formed from user-space instances 110 from distinct virtual machines 120 .
- FIGS. 2A-2B illustrate an application of security policies to user-space instances of a computing network, in accordance with some embodiments.
- FIGS. 2A-2B provide a non-limiting example in which security policies are identified and applied to data communications and operations of user-space instances 110 in a computing network.
- Computer systems 102 - 1 and 102 - 2 are communicably connected via local network 104 (e.g., a Local Area Network).
- Computer systems 102 have respective host operating systems 310 (e.g., 310 - 1 and 310 - 1 ) and hardware layers 106 (e.g., 106 - 1 and 106 - 2 , which include one or more respective processors 302 , memory 306 , and other optional hardware components).
- An instance engine 314 (e.g., 314 - 1 and 314 - 2 ) runs on each of the computer systems 102 , instantiating and managing a corresponding set of user-space instances 110 (e.g., user-space instances 110 - 1 - 1 through 110 - 1 - 3 and security instance 336 - 1 are instantiated by instance engine 314 - 1 on computer system 102 - 1 , and user-space instances 110 - 2 - 1 through 110 - 2 - 3 are instantiated by instance engine 314 - 2 on computer system 102 - 2 ).
- user-space instances 110 are instantiated using operating-system-level virtualization (as described with respect to FIGS.
- an optional security controller 338 and security instances 336 are used in addition and/or as alternatives to the instance engine 314 , in order to provide security for the user-space instances 110 , as described in greater detail below.
- User-space instances 110 may be configured to transmit and receive data to and from a variety of sources.
- transmission pathways 200 (e.g., 200 - 1 through 200 - 3 ) represent possible data communications channels established between user-space instances 110 , and/or between user-space instances 110 and other devices (e.g., devices within or connected to an external network 106 ).
- the illustrated pathways 200 and the entities for which they provide a communication channel are only examples, and in other embodiments, additional or fewer pathways 200 exist between any combination of the user-space instances and optional devices.
- user-space instances 110 transmit and receive data to and from other user-space instances 110 within the same computer system 102 (e.g., via transmission pathway 200 - 1 , user-space instance 110 - 1 - 2 transmits data to and retrieves data from user-space instance 110 - 1 - 2 ).
- user-space instances 110 on one computer system 102 transmit and receive data to and from user-space instances 110 instantiated on one or more other computer systems 102 (e.g., via transmission pathway 200 - 2 , user-space instance 110 - 1 - 3 instantiated on computer system 102 - 1 exchanges data with user-space instance 110 - 2 - 2 instantiated on computer system 102 - 2 ).
- the one or more other computer systems 102 may be within the same local network 104 or a different network (not shown).
- user-space instances 110 transmit and receive data to and from devices, applications, and/or user-space instances 110 from an external network 106 (e.g., via transmission pathway 200 - 3 , client devices in external network 106 access applications provided by user-space instance 110 - 1 - 1 ).
- Data communications of user-space instances 110 across the various transmission pathways 200 are coordinated by one or more components of computer systems 102 .
- a single instance engine 314 manages direct data communications between the user-space instances 110 that it instantiates (e.g., instance engine 314 receives data from user-space instance 110 - 1 - 1 and transmits the received data to user-space instance 110 - 1 - 2 ).
- instance engine 314 coordinates with its host operating system 310 and one or more components of the hardware layer 108 to manage data communications between user-space instances 110 instantiated within different computer systems 102 .
- the instance engine 314 - 1 receives data from user-space instance 110 - 1 - 3 and coordinates with the host operating system 310 - 1 and network interfaces of the hardware layer 108 - 1 to transmit the data to computer system 102 - 2 .
- the instance engine 314 - 2 provides the data to user-space instance 110 - 2 - 2 .
- instance engine 314 coordinates with its host operating system 310 and one or more components of the hardware layer 108 to manage data communications between user-space instances 110 and devices in (or coupled to) an external network 106 . For example, after receiving data from user-space instance 110 - 1 - 1 , the instance engine 314 - 1 coordinates with the host operating system 310 - 1 and network interfaces of the hardware layer 108 - 1 to transmit the data to a device in external network 106 (e.g., a client device accessing a web application provided by the user-space instance 110 - 1 - 1 ).
- data transmissions are sometimes encapsulated (e.g., based on a packet format defined by the instance engine 314 ) and tunneled through host operating system 310 and hardware layer 108 , such that the data transmission is undecipherable by host operating system 310 .
- analogous transmission pathways described herein enable data communications between user-space instances 110 within the same virtual machine 120 (e.g., user-space instances 110 - 1 - 1 and 110 - 1 - 2 of virtual machine 120 - 1 , FIG. 1C ), and/or between user-space instances 110 across different virtual machines 120 (e.g., between user-space instance 110 - 1 - 1 of virtual machine 120 - 1 , and user-space instance 110 - 2 - 1 of virtual machine 120 - 2 , FIG. 1C ).
- Authorized operations and data communications for user-space instances 110 are defined by corresponding sets of security policies.
- a security policy defines through which transmission pathways, and/or with which user-space instances, applications, devices, and/or other processes a given user-space instance is permitted to exchange data.
- Security policies applied to a particular user-space instance 110 are identified based on properties that characterize the particular user-space instance 110 (or a cluster to which it belongs), one example of which is a user-space instance type (e.g., database applications).
- system-level security policies (i.e., policies implemented by host operating systems 310 ) and security controllers 338 operate alone or in conjunction to ensure that operations and data communications of user-space instances 110 in the computing network are compliant with identified security policies.
- security instances 336 are instantiated and configured to perform one or more security functions with respect to the operations and data communications of user-space instances 110 . Because security instances 336 are instantiated by the same instance engines 314 that manage the operations and data communications of the user-space instances 110 , security instances 336 are capable of monitoring, inspecting, and/or applying security policies to the operations and data communications of the user-space instances. As merely an example, security instances 336 are configured to intercept and decline further transmission of data communications between user-space instances 110 in response to detecting violations of applicable security policies.
- security controller 338 is a type of host application executed on top of (i.e., in the operating environment provided by) host operating system 310 .
- The security controller 338 performs one or more security functions in addition to and/or alternatively to security instances 336 .
- security controller 338 is a separate electronic device (e.g., computer system 102 , server system, etc.) communicably coupled to but distinct from the computer systems 102 on which the user-space instances are instantiated.
- security controller 338 interfaces with one or more instance engines 314 across multiple computer systems 102 to obtain information for managing (e.g., maintaining databases) and/or identifying applicable security policies (e.g., based on identified properties of user-space instances 110 obtained from the one or more instance engines 314 ).
- security controller 338 is tasked with performing security functions that are more resource intensive (e.g., demanding higher CPU and memory usage) in comparison to the security functions performed by the security instances 336 .
- Security features are not limited to performance by any particular computer system, system component, application, or instance. In other words, many of the security features described herein may be interchangeably performed by security instances 336 , security controllers 338 , and/or instance engines 314 , or a combination thereof.
- FIG. 2B illustrates a map of clusters formed from user-space instances 110 executed in one or more computer systems or a distributed system (e.g., distributed system 100 ), in accordance with some embodiments.
- the cluster map shows clusters formed from the user-space instances 110 in the computer network of FIG. 2A .
- a cluster map provides both a logical grouping of user-space instances 110 into distinct clusters 210 , and the functional relationships between the clusters 210 and their constituent user-space instances 110 .
- the security policies applied to a particular user-space instance 110 are identified, at least in part, based on the cluster to which it belongs. More specifically, according to some embodiments, the one or more common properties of the user-space instances within the corresponding cluster are used to identify a corresponding set of security policies to apply to all or some of the user-space instances of the cluster. In doing so, at least some security policies need not be individually managed for each user-space instance and can be consolidated for user-space instances sharing overlapping properties. Security is therefore more efficiently and effectively applied in computing environments that implement some form of virtualization.
- Clusters 210 are formed based on one or more properties that characterize the user-space instances 110 .
- Properties include, for example, a user-space instance type (e.g., web application, database application, etc.) and predefined access controls (e.g., permitted access to Internet).
- user-space instances 110 are logically grouped into distinct clusters 210 , where the clusters 210 are formed based on at least user-space instance types.
- cluster 210 - 1 is a cluster for web application user-space instances (e.g., 110 - 1 - 1 , 110 - 1 - 3 , and 110 - 2 - 1 )
- cluster 210 - 2 is a cluster for other application user-space instances (e.g., 110 - 1 - 2 and 110 - 2 - 2 )
- cluster 210 - 3 is a cluster for database user-space instances (e.g., 110 - 2 - 3 ).
- At least some of the clusters 210 are also formed based on their predefined access controls. For example, as shown in FIG. 2B , cluster 210 - 1 includes user-space instances 110 that are permitted to access external network 106 .
- properties associated with each of the clusters 210 are then used to identify respective sets of security policies for the clusters 210 (e.g., from one or more predefined tables, such as cluster info table 326 and policies info table 332 , FIGS. 3A and 3B ).
- properties for a cluster 210 are matched against entries of a cluster info table 326 .
- one or more security policies are identified from the matching entry (e.g., one or more index values that point to entries of a policies info table 332 , FIGS. 3A and 3B ).
- the identification of applicable security policies is analogously performed in cases in which clusters 210 are not formed (e.g., one or more properties of user-space instances 110 are identified, and applicable security policies are identified using the cluster info table 326 and the policies info table 332 based on the one or more properties, wherein the cluster info table 326 additionally and/or alternatively includes entries corresponding to individual user-space instances 110 ).
- Each of the identified sets of security policies is then applied to a corresponding cluster 210 so that any violations in monitored operations and/or data communications of user-space instances 110 for the cluster 210 are detected and remediated. Examples of such violations are shown in FIG. 2B .
- user-space instance 110 - 2 - 1 attempts to retrieve data from user-space instance 110 - 2 - 3 , even though such access by any of the user-space instances 110 of cluster 210 - 1 would violate a corresponding set of security policies for cluster 210 - 1 .
- the access attempt by user-space instance 110 - 2 - 1 which violates applicable security policies for cluster 210 - 1 , may, for example, be a result of malicious software having compromised user-space instance 110 - 2 - 1 or user-space instance 110 - 2 - 3 .
- a remedial action is performed to prevent transmission of data from user-space instances of cluster 210 - 3 to user-space instance 110 - 2 - 1 .
- user-space instance 110 - 2 - 1 retrieves unauthorized data from user-space instance 110 - 2 - 3 and attempts to transmit the unauthorized data to an external network 106 via transmission pathway 202 - 2 .
- Transmission pathway 202 - 2 may correspond to transmissions via an unauthorized network port as indicated by corresponding security policies for cluster 210 - 1 .
- the access attempt therefore constitutes a security violation, which may be a result of malicious software that has compromised user-space instance 110 - 2 - 1 .
- a remedial action is performed to deny transmissions of data from user-space instance 110 - 2 - 1 to devices in an external network 106 (e.g., disabling the port through which the transmission attempt was detected).
- transmission pathway 202 - 3 represents an unknown device (not shown) from an external network 106 attempting to access user-space instance 110 - 1 - 2 .
- transmission pathway 202 - 3 represents an unauthorized attempt by the user-space instance 110 - 1 - 2 to access an external network 106 .
- security policies indicate that user-space instances of cluster 210 - 2 are not permitted to access and/or may not be accessed by devices of an external network 106 , as illustrated by user-space instances 110 - 1 - 2 and 110 - 2 - 2 being accessible by and/or having access to only user-space instances within the local network.
- a violation of the corresponding security policies for cluster 210 - 2 is detected and a remedial action is performed to deny access to user-space instances 110 - 1 - 2 and 110 - 2 - 2 by the external network 106 , and/or access to the external network 106 by user-space instances 110 - 1 - 2 and 110 - 2 - 2 .
- FIG. 3A is a block diagram illustrating an exemplary computer system 102 , in accordance with some embodiments.
- the computer system 102 typically includes one or more processing units (processors or cores) 302 , one or more network or other communications interfaces 304 , memory 306 , and one or more communication buses 308 for interconnecting these components.
- the communication buses 308 optionally include circuitry (sometimes called a chipset) that interconnects and controls communications between system components.
- the computer system 102 optionally includes a user interface (not shown).
- the user interface may include a display device and optionally includes inputs such as a keyboard, mouse, trackpad, and/or input buttons.
- the display device includes a touch-sensitive surface, in which case the display is a touch-sensitive display.
- Memory 306 includes high-speed random-access memory, such as DRAM, SRAM, DDR RAM, or other random-access solid-state memory devices; and may include non-volatile memory, such as one or more magnetic disk storage devices, optical disk storage devices, flash memory devices, and/or other non-volatile solid-state storage devices. Memory 306 may optionally include one or more storage devices remotely located from the processor(s) 302 . Memory 306 , or alternately the non-volatile memory device(s) within memory 306 , includes a non-transitory computer-readable storage medium. In some embodiments, memory 306 or the computer-readable storage medium of memory 306 stores the following programs, modules and data structures, or a subset or superset thereof:
- Although FIG. 3A shows a “computer system,” FIG. 3 is intended more as a functional description of the various features that may be present in a set of computer systems 102 than as a structural schematic of the implementations described herein.
- items shown separately could be combined and some items could be separated.
- some items shown separately in FIG. 3 could be implemented on single computer systems and single items could be implemented by one or more computer systems.
- the actual number of computer systems and how features are allocated among them will vary from one implementation to another, and may depend in part on the amount of data traffic that the system must handle during peak usage periods as well as during average usage periods.
- Each of the above identified elements may be stored in one or more of the previously mentioned memory devices of computer system 102 , and each of the modules or programs corresponds to a set of instructions for performing a function described above.
- the set of instructions can be executed by one or more processors (e.g., the CPUs 302 ).
- the above identified modules or programs (i.e., sets of instructions) need not all be present; in some embodiments, memory 306 may store a subset of the modules and data structures identified above.
- memory 306 may store additional modules and data structures not described above.
- FIG. 3B illustrates exemplary data structures that store information for clusters, instances, and security policies, in accordance with some embodiments.
- FIG. 3B illustrates the cluster info table 326 , instances info table 328 , and policies info table 332 stored in memory 306 of computer system 102 , as shown in FIG. 3A .
- Each of the tables includes a plurality of entries, each of which includes one or a plurality of fields.
- entries 350 (e.g., 350 - 1 , 350 - 2 , . . . ) of the cluster info table 326 include respective information for clusters of user-space instances 110 .
- Fields 352 of the cluster info table 326 include properties of user-space instances, at least some of which are common to multiple user-space instances of a cluster (or characteristic to one user-space instance of the cluster).
- Properties include, but are not limited to: user-space instance type 352 - 1 (e.g., database applications), a user-space instance sub-type 352 - 2 (e.g., Cassandra databases), a list of user-space instances composing a respective cluster for the entry 352 - 3 (e.g., user-space instances 110 - 1 - 1 , 110 - 1 - 3 , and 110 - 2 - 1 forming cluster 210 - 1 , FIG. 2B ), network communication parameters (e.g., network communications protocol, network communications port, etc.), and a list of security policies (e.g., list of authorized and unauthorized operations and/or data communications, or references to security policies in policies info table 332 ).
- Other user-space instance properties that may be included in the cluster info table 326 are described elsewhere in this document.
- entries 360 (e.g., 360 - 1 , 360 - 2 , . . . ) of the instances info table 328 include respective information for particular user-space instances, such as properties 362 - 1 of a particular user-space instance, and corresponding security policies 362 - 2 for the particular user-space instance.
- entries 370 (e.g., 370 - 1 , 370 - 2 , . . . ) of the policies info table 332 correspond to rules defining authorized and unauthorized operations and/or data communications of user-space instances (individually, or of a cluster).
- Security policies may be defined with respect to one or more aspects of user-space instance operations and data communications, such as: operations permissions 372 - 1 (e.g., permissible processes, routines, and/or commands; limits on resource usage; etc.), network access 372 - 2 (e.g., Internet access), instance access 372 - 3 (e.g., accessible user-space instance types/sub-types), and/or remedial policies 372 - 4 (e.g., terminate violating instance).
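The following Python is an added example (not the patent's own code) of the lookup and enforcement that the FIG. 2B and FIG. 3B passages above describe: a cluster info table whose entries carry index values into a policies info table, identification of applicable policies through the matching cluster entry, and detection of the three violations of FIG. 2B over constructed flows. The table layouts follow the named fields 352 - 1 through 352 - 3 and 372 - 2 through 372 - 4; the policy values, port numbers, remedy names and the flows themselves are assumptions made for the example.

```python
"""Cluster-based policy lookup and violation detection.

Added example, not code from the patent. Table layouts follow the fields the
text names (352-x, 372-x); every concrete value below is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """One entry 370 of the policies info table 332."""
    name: str
    instance_access: frozenset  # 372-3: instance types this cluster may access
    network_access: bool        # 372-2: may exchange data with external network 106
    allowed_ports: frozenset    # network communication parameters for external flows
    remedies: dict              # 372-4: violation kind -> remedial action


POLICIES_INFO_TABLE = {
    0: Policy("web-tier", frozenset({"web", "other"}), True, frozenset({80, 443}),
              {"instance-access": "block-flow", "port": "disable-port"}),
    1: Policy("internal-only", frozenset({"other", "database"}), False, frozenset(),
              {"instance-access": "block-flow", "network-access": "deny-external"}),
    2: Policy("db-tier", frozenset({"database"}), False, frozenset(),
              {"instance-access": "block-flow", "network-access": "terminate-instance"}),
}


@dataclass(frozen=True)
class ClusterEntry:
    """One entry 350 of the cluster info table 326."""
    instance_type: str   # 352-1
    sub_type: str        # 352-2
    members: tuple       # 352-3
    external_access: bool
    policy_ids: tuple    # index values pointing into POLICIES_INFO_TABLE


# Constructed to mirror clusters 210-1, 210-2 and 210-3 of FIG. 2B.
CLUSTER_INFO_TABLE = (
    ClusterEntry("web", "", ("110-1-1", "110-1-3", "110-2-1"), True, (0,)),
    ClusterEntry("other", "", ("110-1-2", "110-2-2"), False, (1,)),
    ClusterEntry("database", "cassandra", ("110-2-3",), False, (2,)),
)


def cluster_of(instance):
    for entry in CLUSTER_INFO_TABLE:
        if instance in entry.members:
            return entry
    raise KeyError(f"no cluster entry for {instance}")


def policies_for(instance):
    """Match the instance's cluster entry, then follow its index values."""
    return [POLICIES_INFO_TABLE[i] for i in cluster_of(instance).policy_ids]


@dataclass(frozen=True)
class Flow:
    """A monitored data communication; src is the initiating side."""
    src: str   # instance id, or "external" for a device in external network 106
    dst: str
    port: int


def check_flow(flow):
    """Return (subject, violation kind, remedial action) tuples; empty if compliant."""
    # Policies are evaluated for the local instance that initiated the flow,
    # or for the local target when the initiator is an external device.
    subject, peer = (flow.dst, "external") if flow.src == "external" else (flow.src, flow.dst)
    findings = []
    for pol in policies_for(subject):
        if peer == "external":
            if not pol.network_access:
                findings.append((subject, "network-access", pol.remedies["network-access"]))
            elif flow.port not in pol.allowed_ports:
                findings.append((subject, "port", pol.remedies["port"]))
        elif cluster_of(peer).instance_type not in pol.instance_access:
            findings.append((subject, "instance-access", pol.remedies["instance-access"]))
    return findings


def enforce(flows):
    """Simulate a security instance 336: deny violating flows and record remedies."""
    verdicts, actions = {}, []
    for f in flows:
        findings = check_flow(f)
        verdicts[(f.src, f.dst, f.port)] = "deny" if findings else "allow"
        actions.extend(findings)
    return verdicts, actions


# Constructed traffic modelled on FIG. 2B: three compliant flows, then the
# three violations the text describes (port 6667 is an invented example port).
SAMPLE_FLOWS = (
    Flow("external", "110-1-1", 443),   # client reaching a web instance
    Flow("110-1-2", "110-2-3", 9042),   # other-application instance -> database
    Flow("110-1-1", "110-1-2", 8080),   # web -> other-application instance
    Flow("110-2-1", "110-2-3", 9042),   # web instance retrieving from the database
    Flow("110-2-1", "external", 6667),  # unauthorized port to external network (202-2)
    Flow("external", "110-1-2", 8080),  # external device reaching cluster 210-2 (202-3)
)

if __name__ == "__main__":
    verdicts, actions = enforce(SAMPLE_FLOWS)
    for key, verdict in verdicts.items():
        print(key, verdict)
    for action in actions:
        print("remedy:", action)
```

The subject of evaluation is always a local instance: the initiator for instance-originated flows, and the target when the initiator is an external device, so that the cluster 210-2 rule that its members may neither reach nor be reached by the external network is checked from whichever side the flow starts. Remedies are recorded per violation kind rather than applied, which is where a real deployment would hook in the instance engine's port or flow controls.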
- FIGS. 4A-4D are flow diagrams illustrating a method 400 of applying security policies in a virtualization environment, in accordance with some embodiments.
- the method 400 is performed by one or more electronic devices of a computing network (e.g., computer systems 102 , FIGS. 1A-1C, 2A-2B, and 3A-3B ) or one or more components thereof (e.g., security instances 336 , security controller 338 , and/or instance engine 314 , FIG. 2A ).
- the methods herein will be described as being performed by an electronic device (e.g., computer system 102 - 1 ).
- method 400 is governed by instructions that are stored in a non-transitory computer readable storage medium and that are executed by one or more processors of an electronic device, such as the one or more processors 302 of computer system 102 , as shown in FIG. 3A .
- An electronic device instantiates ( 402 ) a plurality of user-space instances.
- Each respective user-space instance of the plurality of user-space instances is ( 404 ) instantiated within a respective operating system environment (e.g., user-space instances 110 - 1 - 1 through 110 - 1 - 3 are instantiated within host operating system 310 - 1 of computer system 102 - 1 , FIG. 2A ).
- Each respective user-space instance has a distinct virtual address space in virtual memory of the respective operating system environment.
- the respective virtual address spaces of the user-space instances are ( 404 ) distinct from a kernel address space of the virtual memory.
- instantiating includes ( 408 ) instantiating the plurality of the user-space instances within a first operating system environment of a first virtual machine (e.g., user-space instances 110 - 1 - 1 through 110 - 1 - q instantiated within guest operating system 112 - 1 of virtual machine 120 - 1 , FIG. 1C ).
- a first subset of the plurality of user-space instances is instantiated within a first operating system environment of a first virtual machine (e.g., user-space instances 110 - 1 - 1 through 110 - 1 - q instantiated within guest operating system 112 - 1 of virtual machine 120 - 1 , FIG.
- a second subset of the plurality of user-space instances distinct from the first subset is instantiated within a second operating system environment of a second virtual machine distinct from the first virtual machine (e.g., user-space instances 110 - 2 - 1 through 110 - 2 - q instantiated within guest operating system 112 - 2 of virtual machine 120 - 2 , FIG. 1C ).
- each of the plurality of the user-space instances is instantiated within an operating system environment of a single virtual machine.
- the electronic device (e.g., instance engine 314 , FIG. 2A ) identifies ( 412 ) one or more respective properties that characterize the user-space instances of the plurality of user-space instances.
- the one or more respective properties identified for the user-space instances are used to form clusters of user-space instances and to identify applicable sets of security policies to be applied to operations and data communications of the user-space instances.
- the one or more respective properties include ( 414 ) at least one of: a user-space instance type (e.g., web applications, database applications, etc.), a user-space instance sub-type (e.g., a specific application, such as a Cassandra database), a user-space instance version, a user-space instance name (e.g., instance identifier), associated access controls for a respective user-space instance (e.g., access to or accessible by an external network 106 ), a respective network communication protocol used by a respective user-space instance (e.g., HTTPS), and a respective network communications port used for data communications (e.g., port 443 for HTTPS).
- properties include a compatible operating system for an application of a respective user-space instance (e.g., a particular Linux build, sometimes called a Linux distribution, for a particular application).
- a particular user-space instance type corresponds ( 416 ) to user-space instances that are applications accessible via an external network (e.g., user-space instances 110 - 1 - 1 , 110 - 1 - 3 , and 110 - 2 - 1 corresponding to web applications, FIG. 2B ).
- a particular user-space instance type corresponds ( 418 ) to user-space instances that are database applications (e.g., user-space instance 110 - 2 - 3 , corresponding to a database application, FIG. 2B ).
- the database applications corresponding to the user-space instance type do not have direct access to an external network (e.g., databases are not authorized to access the Internet).
- associated access controls are predefined (e.g., configured by a user prior to or at time of instantiation, defined by default rules associated with respective user-space instance types and/or sub-types, etc.) or not explicitly defined (e.g., no express permission provided or defined).
- Associated access controls include permissions for accessing or being accessible by external networks (e.g., permissions indicating that web application user-space instance 110 is accessible by client devices in an external network 106 , FIG. ), user-space instances (e.g., permissions indicating that user-space instances 110 are allowed to access other user-space instances 110 in the same or a different computer system 102 , virtual machine 120 , local network 104 , etc.), and/or end-users (e.g., permissions indicating that specified users or groups of users of client devices are allowed to access services provided by user-space instances 110 ).
- identifying the one or more respective properties includes ( 420 ) inspecting communications sent by and/or received by the user-space instances of the plurality of user-space instances, and ( 426 ) deriving at least some of the one or more respective properties from the inspected communications.
- Any of a variety of techniques may be implemented for inspecting data communications and deriving user-space instance information (e.g., properties).
- the inspected communications include data packets, each comprising a respective header portion and a respective data portion.
- inspecting the communications includes inspecting at least the data portions of the data packets. These embodiments are sometimes referred to as methods for deep packet inspection (DPI).
- the inspected communications include ( 422 ) data sent by a first user-space instance of the plurality of user-space instances to a second user-space instance of the plurality of user-space instances (e.g., data communications exchanged between user-space instances 110 - 1 - 1 and 110 - 1 - 2 via transmission pathway 200 - 1 , FIG. 2A ).
- the first user-space instance is instantiated within a first operating system environment of a first virtual machine
- the second user-space instance is instantiated within a second operating system environment of a second virtual machine distinct from the first virtual machine (e.g., data communications exchanged between user-space instance 110 - 1 - 1 on virtual machine 120 - 1 and user-space instance 110 - 2 - 1 on virtual machine 120 - 2 , FIG. 1C ).
- both the first user-space instance and the second user-space instance are instantiated within a first operating system environment of a first virtual machine.
- the inspected communications include ( 424 ) data sent by and/or received by a first user-space instance, of the plurality of user-space instances, over an external network to which the computing network is communicably connected (e.g., data transmitted by user-space instance 110 - 1 - 1 to a device in external network 106 via transmission pathway 200 - 3 , FIG. 2A ).
- identifying the one or more respective properties includes obtaining meta data specifying at least some of the one or more respective properties.
- Meta data may be obtained from any components of the computer system 102 or its virtualization environment that maintain or store meta data for user-space instances 110 (e.g., instance engine 314 , security instance 336 , security controller 338 , and/or virtual machine monitor 340 ).
- one or more clusters of user-space instances are formed ( 430 ) from the plurality of user-space instances (e.g., clusters 210 - 1 through 210 - 3 in FIG. 2B formed by security controller 338 in FIG. 2A ).
- Each cluster of the one or more clusters includes a respective set of one or more user-space instances that are characterized by one or more common properties of the one or more identified properties (e.g., in FIG. 2B , cluster 210 - 1 includes user-space instances of the same type, namely web applications).
- a first cluster of the one or more formed clusters includes ( 432 ) user-space instances from both of the first and second subsets of the plurality of user-space instances (the first subset including user-space instances instantiated in a first virtual machine, and the second subset including user-space instances instantiated in a second virtual machine) (step 410 , FIG. 4A ).
- a cluster includes user-space instance 110 - 1 - 1 from virtual machine 120 - 1 , and user-space instance 110 - 2 - 1 from virtual machine 120 - 2 .
- a respective set of security policies is identified ( 434 ) for each respective cluster of the one or more clusters based on the one or more identified properties characterizing the user-space instances.
- the respective set of security policies define authorized or unauthorized operations for respective user-space instances in the respective cluster, and authorized or unauthorized data communications sent by and/or received by respective user-space instances in the respective cluster.
- Security policies may be defined with respect to one or more aspects of user-space instance operations (e.g., permissible processes, routines, and/or commands; limits on resource usage; etc.) and/or data communications (e.g., accessible user-space instance types and/or sub-types). Examples of security policies and their application are described elsewhere in this document.
- identifying the respective set of security policies for each respective cluster includes identifying a corresponding entry for the respective cluster in a data structure, wherein the corresponding entry specifies (or alternatively provides a reference to a different source that specifies) the respective set of security policies (e.g., cluster info table 326 and/or policies info table 332 , FIGS. 3A-3B ).
- the corresponding entry specifies (or alternatively provides a reference to a different source that specifies) the respective set of security policies (e.g., cluster info table 326 and/or policies info table 332 , FIGS. 3A-3B ).
- to identify the corresponding entry at least some of the one or more common properties for the respective cluster are matched against one or more fields of the data structure (e.g., finding an entry that matches at least a user-instance type and network communication protocols/ports common to user-space instances for a cluster). An example is described with respect to FIG. 2B .
- respective sets of security policies are identified for each of the plurality of user-space instances based on the one or more identified properties characterizing the user-space instances.
- the forming of clusters is optional for identifying security policies to apply to respective user-space instances.
- respective sets of security policies are identified for only some of the one or more clusters, or for only some of the plurality of user-space instances.
- a first cluster includes a first subset and a second subset of user-space instances
- a first set of security policies for the first cluster includes a first subset of security policies that apply to the first subset of user-space instances, and a second subset of security policies that apply to the second subset of user-space instances.
- different but partially overlapping security policies (e.g., different and partially overlapping with respect to authorized operations and/or data communications, and/or remedial actions taken, etc.) are applied to different subsets of user-space instances in a cluster.
- the first subset and second subset of user-space instances correspond to first and second user-space instance sub-types of a same user-space instance type (e.g., both subsets of user-space instances correspond to database applications, but different ones).
- application profiles are used such that different sub-types of user-space instances within a given cluster (e.g., specific applications) have respective security policies that are applied in addition (e.g., more stringent policies than those for the cluster) or alternatively to (e.g., as exceptions to policies for the cluster) the security policies of the given cluster.
- the identified set of security policies for the respective cluster is applied ( 436 ) for each respective cluster (or only some) of the one or more clusters, so as to detect and/or remediate violations of the identified set of security policies.
- identifying (step 434 , FIG. 4C ) the one or more respective properties and applying ( 436 ) the identified set of security policies are performed by a user-space security instance (e.g., security instance 336 - 1 , FIG. 2A ) that operates in (i.e., is executed in) user space, but is distinct from the plurality of user-space instances (e.g., instances 110 , FIG. 2A ) that it monitors.
- applying the identified set of security policies includes ( 438 ) monitoring the operations for the respective user-space instances in the respective cluster, and/or monitoring the data communications sent by and/or received by the respective user-space instances in the respective cluster. Furthermore, applying the identified set of security policies includes ( 440 ) detecting a violation of the identified set of security policies for the respective cluster in the monitored operations and/or the monitored communications, and ( 446 ) remediating the violation in response to detecting the violation.
- detecting the violation of the identified set of security policies includes ( 442 ) detecting attempts to access an external network by one or more of the respective user-space instances in the respective cluster that are not authorized to access, or have not previously accessed, the external network (e.g., user-space instances 110 - 1 - 2 and 110 - 2 - 2 attempting to access devices of the external network 106 via transmission pathway 202 - 3 , as described with respect to FIG. 2B ).
- attempts to access the external network are unauthorized with respect to attempts to access particular devices (e.g., devices corresponding to specific addresses, users, etc.), device types (e.g., mobile devices, but not server systems), applications/processes (e.g., specific types of application), and/or devices using particular network parameters (e.g., one or more particular ranges of IP addresses, geographic regions, communication protocols, etc.).
- detecting the violation of the identified set of security policies includes detecting attempts to access a first user-space instance, of the respective user-space instances in the respective cluster, wherein the access attempts originate from an external network that is not authorized to access the first user-space instance (e.g., attempts by external network 106 to access user-space instance 110 - 1 - 2 via pathway 202 - 3 , as described with respect to FIG. 2B ).
- attempts by the external network to access the first user-space instance are unauthorized with respect to attempts by particular devices (e.g., devices corresponding to specific addresses, users, etc.), device types (e.g., mobile devices, but not server systems), applications/processes (e.g., specific types of application), and/or devices using particular network parameters (e.g., one or more particular ranges of IP addresses, geographic regions, communication protocols, etc.).
- detecting the violation of the identified set of security policies includes detecting attempts by a first user-space instance, of the respective user-space instances in the respective cluster, to transmit data managed by a second user-space instance of the plurality of user-space instances to an external network.
- the first user-space instance is authorized to access the external network
- the second user-space instance is not authorized to access the external network (e.g., user-space instance 110 - 2 - 1 attempting to transmit, via pathway 202 - 2 and to external network 106 , data retrieved from user-space instance 110 - 2 - 3 , as described with respect to FIG. 2B ).
- detecting the violation of the identified set of security policies includes ( 444 ) detecting attempts by a first user-space instance, of the respective user-space instances in the respective cluster, to access a second user-space instance of the plurality of user-space instances, wherein the first user-space instance is not authorized to access, or has not previously accessed, the second user-space instance (e.g., user-space instance 110 - 2 - 1 attempting to access user-space instance 110 - 2 - 3 via transmission pathway 202 - 1 , as described with respect to FIG. 2B ).
- attempts to access a particular user-space instance are unauthorized with respect to attempts to access particular devices (e.g., specific computer systems), a particular user-space instance (e.g., based on a unique identifier of a user-space instance), user-space instance types/sub-types (e.g., attempts to access confidential databases), network parameters (e.g., user-space instances falling within one or more particular ranges of IP addresses, user-space instances associated with one or more particular geographic regions, etc.), and/or any other properties that characterize a user-space instance (various examples of which are described elsewhere in this document).
- detecting the violation of the identified set of security policies includes detecting attempts by one or more of the respective user-space instances to transmit and/or receive data using unauthorized network parameters (e.g., use of modified or unpermitted network parameters, such as communications ports, communications protocol, transmission rates, etc.).
- detecting the violation of the identified set of security policies includes detecting resource usage by one or more of the respective user-space instances that exceeds allocated resource limits (e.g., usage limits for CPU, memory, network bandwidth, etc.).
- allocated resource limits are defined at the time of instantiation (e.g., during a resource isolation process, described with respect to FIG. 1B ).
- the violation is remediated ( 446 ) (e.g., remediated by instance engines 314 , security instances 336 , etc., FIG. 2A ).
- any of a variety of remedial actions may be taken.
- the remediation includes generating an alert ( 448 ) for the violation (e.g., alert is generated and presented to an administrator of the computing network).
- the alert provides identifying information of the one or more user-space instances 110 that violated the identified security policies, and optionally includes (e.g., indicates, or enables an administrator/system to select execution of) remedial actions that may be taken.
- the remediation includes terminating one or more of the plurality of user-space instances that violated the identified set of security policies for the respective cluster ( 450 ).
- user-space instance 110 - 2 is terminated for unauthorized attempts to access the external network 106 (e.g., security instance 336 - 1 provides instructions to instance engine 314 - 1 to terminate user-space instance 110 - 2 ).
- User-space instances that violate the identified security policies may be from a corresponding cluster (i.e., cluster associated with the identified security policies) or a different cluster.
- user-space instances that are affected by, but are not the source of, the violation are terminated so as to mitigate the extent to which security is compromised.
- the remediation includes modifying access privileges of one or more of the plurality of user-space instances that violated the identified set of security policies for the respective cluster ( 452 ).
- access privileges for user-space instance 110 - 2 - 1 e.g., permissions and/or network parameters managed by instance engine 314 - 2 /security instance 336 - 2 , FIG.
- security instance 336 provides instructions to instance engine 314 to modify access privileges for a user-space instance, which may include instructions to disconnect the user-space instance from access to external networks 106 , or instructions to disable communications with other components of a computer system 102 /virtualization environment (such as communications with other user-space instances 110 , virtual machines 120 , host/guest operating systems, instance engine 314 , etc.).
- a set of system-level security policies is applied to operations performed by and communications sent by and/or received by the plurality of user-space instances.
- the set of system-level security policies is implemented by the respective operating system environment, rather than components of or related to the virtualized environments (e.g., instance engine 314 , security instance 336 , and security controller 338 ). Examples include packet filtering rules for packets sent or received by the electronic device (and/or optional virtual machines).
- FIGS. 5A-5C are flow diagrams illustrating a method 500 of applying security policies in a virtualization environment using a security instance, in accordance with some embodiments.
- the method 500 is performed by one or more electronic devices of a computing network (e.g., computer systems 102 , FIGS. 1A-1C, 2A-2B, and 3A-3B ) or one or more components thereof (e.g., security instance 336 - 1 , security controller 338 , and/or instance engine 314 , FIG. 2A ).
- the methods herein will be described as being performed by an electronic device (e.g., computer system 102 - 1 ).
- method 500 is governed by instructions that are stored in a non-transitory computer readable storage medium and that are executed by one or more processors of an electronic device, such as the one or more processors 302 of computer system 102 , as shown in FIG. 3A .
- An electronic device instantiates ( 502 ) a plurality of user-space instances.
- Each respective user-space instance of the plurality of user-space instances is ( 504 ) instantiated within a respective operating system environment (e.g., user-space instances 110 - 1 - 1 through 110 - 1 - 3 and security instance 336 - 1 are instantiated within host operating system 310 - 1 of computer system 102 - 1 , FIG. 2A ).
- Each respective user-space instance has a distinct virtual address space in virtual memory of the respective operating system environment.
- the respective virtual address spaces of the user-space instances are ( 506 ) distinct from a kernel address space of the virtual memory.
- Instantiating the user-space instances may be performed in accordance with any of the embodiments discussed above with respect to the method 400 ( FIGS. 4A-4D ) and elsewhere in this document.
- a security instance distinct from the plurality of user-space instances is instantiated ( 508 ).
- the security instance is instantiated within the respective operating system environment, has a respective virtual address space in virtual memory of the respective operating system environment, and is executed in user space of the respective virtual address space.
- the security instance is sometimes called a security user-space instance.
- the security instance is a user-space instance of a “security application” or security module.
- security instances 336 - 1 and 336 - 2 are instantiated within the operating system environments provided by their respective host operating systems 310 - 1 and 310 - 2 .
- security instances are instantiated and configured to perform, in user space, one or more security functions with respect to the operations and data communications of user-space instances 110 .
- Security instances provide the advantage of being instantiated by the same instance engines that manage the operations and data communications of user-space instances. As such, security instances, unlike host operating system processes that may not have access to or are not capable of processing the user-space operations and data communications of user-space instances, are equipped to effectively monitor, inspect, and/or apply security policies to the operations and data communications of user-space instances.
- the security instance is used ( 510 ) to monitor operations for the plurality of user-space instances, and data communications sent by and/or received by the plurality of user-space instances.
- the security instance 336 - 1 is configured to monitor operations and data communications of user-space instance 110 - 1 - 1 through 110 - 1 - 3 by interfacing with the instance engine 314 - 1 . Monitoring may be performed in accordance with any of the embodiments discussed above with respect to the method 400 ( FIGS. 4A-4D ) and elsewhere in this document.
- the electronic device uses ( 512 ) the security instance to identify one or more respective properties that characterize the plurality of user-space instances (e.g., user-space instance type/sub-type, associated access controls, network parameters, etc.).
- user-space instance properties are described with respect to the method 400 ( FIGS. 4A-4D ) and elsewhere in this document.
- the one or more respective properties are identified ( 514 ) (e.g., by security instance 336 ) at least in part from the data communications sent by and/or received by the plurality of user-space instances (e.g., data communications between user-space instances 110 ). Identifying user-space instance properties may be performed in accordance with any of the embodiments discussed above with respect to the method 400 ( FIGS. 4A-4D ) and elsewhere in this document (e.g., deriving properties from inspected data communications, obtaining meta data specifying one or more properties, etc.).
- the security instance is used ( 516 ) to identify a respective set of security policies for each respective user-space instance of the plurality of user-space instances.
- the respective set of security policies define authorized or unauthorized operations for the respective user-space instance, and authorized or unauthorized data communications sent by and/or received by the respective user-space instance.
- Various examples of security policies are described in detail with respect to the method 400 ( FIGS. 4A-4D ) and elsewhere in this document.
- the user-space instance sends ( 518 ) the one or more identified properties to a central module (e.g., security controller 338 ) remote from the first electronic device.
- the central module is a type of host application executed within a host operating system 310 that performs one or more security functions in addition and/or alternatively to security instances 336 .
- the central module is a module that is executed by a separate electronic device communicably coupled to but distinct from the computer systems 102 on which user-space instances are instantiated.
- the security instance receives ( 520 ), from the central module, the respective set of security policies for each respective user-space instance of the plurality of user-space instances.
- the respective set of security policies for the respective user-space instance is based on one or more corresponding properties of the one or more identified properties for the respective user-space instance.
- identifying sets of security policies may be performed in accordance with any of the embodiments discussed above with respect to the method 400 ( FIGS. 4A-4D ) and elsewhere in this document (e.g., identifying security policies from corresponding entries in a managed data structure).
- the security instance is used ( 522 ) to form one or more clusters of user-space instances from the plurality of user-space instances for each respective user-space instance of the plurality of user-space instances.
- Each cluster of the one or more clusters includes a respective set of one or more user-space instances that are characterized by one or more common properties of the one or more identified properties.
- the central module is additionally and/or alternatively used to form the one or more clusters of user-space instances from the plurality of user-space instances (after it receives the one or more identified properties from the security instance).
- forming clusters may be performed in accordance with any of the embodiments discussed above with respect to the method 400 ( FIGS. 4A-4D ) and elsewhere in this document (e.g., forming clusters based on one or more common properties, clusters including user-space instances from the same or different computer system 102 , virtual machines 120 , etc.).
- security policies identified for user-space instances also apply to their corresponding clusters. That is, in some implementations, a respective user-space instance of the plurality of user-space instances corresponds to a respective cluster of one or more clusters of user-space instances, the respective cluster including a respective set of user-space instances that are characterized by two or more common properties. The respective set of security policies for each respective user-space instance is further associated with a corresponding cluster of the one or more clusters of user-space instances.
- the respective sets of security policies for the plurality of user-space instances are received ( 524 ) from the central module remote from the first electronic device (rather than using the security instance to identify the respective sets of security policies).
- For each respective user-space instance of the plurality of user-space instances, the security instance is used ( 526 ) to apply the respective set of security policies associated with the respective user-space instance to the monitored operations for the respective user-space instance, and the monitored data communications sent by and/or received by the respective user-space instance, so as to detect and/or remediate violations of the respective set of security policies. Applying sets of security policies may be performed in accordance with any of the embodiments discussed above with respect to the method 400 ( FIGS. 4A-4D ) and elsewhere in this document.
- the security instance is configured as an in-line module that intercepts incoming or outgoing data traffic for the user-space instances. That is, in some implementations, the security instance intercepts ( 528 ) one or more data communications sent by and/or sent to the respective user-space instance. The security instance then detects ( 530 ) a violation of the respective set of security policies associated with the respective user-space instance, and in response to detecting the violation, denies ( 532 ) transmission of the one or more data communications sent by and/or sent to the respective user-space instance (e.g., data packet is dropped).
- the security instance is configured as a module that sends remedial commands to be executed.
- the security instance detects ( 530 ) a violation of the respective set of security policies associated with the respective user-space instance.
- the security instance sends ( 534 ) remedial commands to one or more of the plurality of user-space instances that violated the respective set of security policies for the respective user-space instance (e.g., commands for terminating the compromised user-space instances, closing a network communications port, modifying access controls, etc.).
- remedial actions and commands are described with respect to the method 400 ( FIGS. 4A-4D ) and elsewhere in this document.
- the security instance is configured as a listening module that monitors incoming or outgoing data traffic for the user-space instances and detects violations. That is, in some implementations, the security instance monitors one or more data communications sent by and/or sent to the respective user-space instance. The security instance then detects a violation of the respective set of security policies associated with the respective user-space instance. An indication of the detected violation is transmitted to a different component of the computing network (e.g., instance engine 314 , security controller 338 , another computing system 102 ), where the indication is then used to determine a corresponding remedial action to be performed.
- the plurality of user-space instances is a first plurality of user-space instances instantiated within a first operating system environment of a first virtual machine.
- a second plurality of user-space instances distinct from the first plurality of user-space instances is instantiated within a second operating system environment of a second virtual machine distinct from the first virtual machine.
- a second security instance is instantiated within the second operating system environment of the second virtual machine, wherein the second security instance is distinct from a first security instance instantiated within the first operating system environment, and is also distinct from the first and second pluralities of user-space instances.
- the second security instance has a respective virtual address space in virtual memory of the second operating system environment, and is executed in user space of that respective virtual address space.
- the second security instance is used to monitor operations for the second plurality of user-space instances, and data communications sent by and/or received by the second plurality of user-space instances.
- the second security user-space instance is used to apply a respective set of security policies associated with the respective user-space instance of the second plurality of user-space instances to the monitored operations for the respective user-space instance, and the monitored data communications sent by and/or received by the respective user-space instance of the second plurality of user-space instances, so as to detect and/or remediate violations of the respective set of security policies associated with the respective user-space instance of the second plurality of user-space instances.
- the users may be provided with an opportunity to opt in/out of programs or features that may collect personal information (e.g., information about a user's preferences or a user's contributions to social content providers).
- certain data may be anonymized in one or more ways before it is stored or used, so that personally identifiable information is removed.
- a user's identity may be anonymized so that the personally identifiable information cannot be determined for or associated with the user, and so that user preferences or user interactions are generalized (for example, generalized based on user demographics) rather than associated with a particular user.
- the method 400 ( FIGS. 4A-4D ) may be analogously performed in accordance with any of the embodiments described with respect to the method 500 ( FIGS. 5A-5C ), and vice versa.
- stages which are not order dependent may be reordered and other stages may be combined or broken out. While some reordering or other groupings are specifically mentioned, others will be apparent to those of ordinary skill in the art, so the ordering and groupings presented herein are not an exhaustive list of alternatives. Moreover, it should be recognized that the stages could be implemented in hardware, firmware, software or any combination thereof.
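The bullets above describe three things a security instance does: it groups user-space instances into clusters by shared properties (so that instances on different virtual machines can share one policy set), it checks monitored operations and data communications against the policy set of the instance's cluster, and on a violation it either drops the traffic (in-line mode), issues a remedial command (remediation mode), or reports an indication to another component (listening mode). The following Python model is an added example, not code from the patent or from the NeuVector product; the property names, the policy fields (allowed egress pairs and allowed processes), the command shapes, and the fail-closed handling of an instance that belongs to no cluster are all assumptions made here for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Instance:
    """A user-space instance and the properties identified for it."""
    name: str
    props: frozenset  # frozenset of (property, value) pairs


@dataclass(frozen=True)
class PolicySet:
    """The set of security policies for one cluster (assumed shape)."""
    allowed_egress: frozenset  # (proto, dst_port) pairs permitted to leave
    allowed_ops: frozenset     # process names permitted to run


def form_clusters(instances, keys):
    """Group instances that share the same value for every property in `keys`
    (the 'two or more common properties' of the text). Instances on different
    VMs land in the same cluster when their other properties match."""
    clusters = defaultdict(list)
    for inst in instances:
        props = dict(inst.props)
        if all(k in props for k in keys):
            clusters[tuple((k, props[k]) for k in keys)].append(inst)
    return dict(clusters)


def find_violation(event, policy):
    """Return a description of the violation, or None when the event is allowed."""
    if event["kind"] == "egress":
        if (event["proto"], event["port"]) not in policy.allowed_egress:
            return f"egress {event['proto']}/{event['port']} not allowed"
        return None
    if event["kind"] == "op":
        if event["process"] not in policy.allowed_ops:
            return f"process {event['process']} not allowed"
        return None
    return f"unknown event kind {event['kind']}"


class SecurityInstance:
    """Applies cluster policies to monitored events in one of three modes."""
    MODES = ("inline", "remediate", "listen")

    def __init__(self, cluster_policies, membership, mode="inline"):
        if mode not in self.MODES:
            raise ValueError(f"unknown mode {mode!r}")
        self.cluster_policies = cluster_policies  # cluster key -> PolicySet
        self.membership = membership              # instance name -> cluster key
        self.mode = mode
        self.indications = []                     # what listen mode hands off

    def handle(self, event):
        policy = self.cluster_policies.get(self.membership.get(event["instance"]))
        if policy is None:
            # Assumption: fail closed when an instance has no policy at all,
            # rather than silently allowing its traffic and operations.
            violation = "no policy for instance"
        else:
            violation = find_violation(event, policy)
        if violation is None:
            return ("allow", None)
        if self.mode == "inline":          # in-line module: drop the packet
            return ("drop", violation)
        if self.mode == "remediate":       # send a remedial command
            if event["kind"] == "egress":
                return ("command", ("close_port", event["instance"], event["port"]))
            return ("command", ("terminate", event["instance"], None))
        indication = {"instance": event["instance"], "violation": violation}
        self.indications.append(indication)  # listening module: report only
        return ("report", indication)


def build_demo(mode="inline"):
    """Constructed sample data (not from the patent): two web instances on
    different VMs share a cluster; a database instance forms its own."""
    web1 = Instance("web-1", frozenset({("image", "nginx:1.21"), ("namespace", "shop"), ("vm", "vm-a")}))
    web2 = Instance("web-2", frozenset({("image", "nginx:1.21"), ("namespace", "shop"), ("vm", "vm-b")}))
    db1 = Instance("db-1", frozenset({("image", "postgres:13"), ("namespace", "shop"), ("vm", "vm-a")}))
    clusters = form_clusters([web1, web2, db1], ("image", "namespace"))
    membership = {i.name: key for key, members in clusters.items() for i in members}
    policies = {
        (("image", "nginx:1.21"), ("namespace", "shop")): PolicySet(
            frozenset({("tcp", 5432), ("tcp", 443)}), frozenset({"nginx"})),
        (("image", "postgres:13"), ("namespace", "shop")): PolicySet(
            frozenset(), frozenset({"postgres"})),
    }
    return SecurityInstance(policies, membership, mode)


if __name__ == "__main__":
    si = build_demo("inline")
    print(si.handle({"instance": "web-2", "kind": "egress", "proto": "tcp", "port": 5432}))
    print(si.handle({"instance": "web-1", "kind": "egress", "proto": "tcp", "port": 22}))
```

The same event produces a different action depending on the mode the security instance was instantiated with, which is the point of the three embodiments: the detection logic is shared, and only the response differs. Note that `web-2` on `vm-b` is judged by the policy identified for the `nginx:1.21`/`shop` cluster even though it runs in a different VM from `web-1`.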
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- General Physics & Mathematics (AREA)
- Physics & Mathematics (AREA)
- Computing Systems (AREA)
- Computer Hardware Design (AREA)
- Stored Programmes (AREA)
- Storage Device Security (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
Description
- an operating system 310 that includes procedures for handling various basic system services and for performing hardware dependent tasks;
- a network communication module 312 that is used for connecting the computer system 102 to other computer systems or devices via one or more communication network interfaces 304 (wired or wireless) and one or more communication networks (e.g., local networks 104, external networks 106, etc.);
- an instance engine 314 for instantiating, managing, and providing security for user-space instances 110, which includes:
  - a monitoring module 316 for monitoring activity of user-space instances 110, which includes:
    - a data traffic module 318 for monitoring data communications to and from user-space instances 110; and
    - an operations module 320 for monitoring processes and operations of user-space instances 110;
  - a property identification module 322 for identifying and storing properties that characterize user-space instances 110 (e.g., user-space instance type/sub-type, access controls, network parameters, etc.);
  - a cluster module 324 for forming clusters from user-space instances 110 (e.g., based on common properties), which includes:
    - a cluster info table 326 for storing entries of cluster information (e.g., properties of clusters/constituent user-space instances, corresponding sets of security policies, etc.);
    - an instances info table 328 for storing entries of user-space instance information (e.g., properties of particular user-space instances, corresponding sets of security policies for particular user-space instances, etc.);
  - a security policy module 330 for identifying (e.g., based on identified properties), maintaining, and (optionally) applying security policies for operations and/or data communications of user-space instances, which includes:
    - a policies info table 332 for storing sets of security policies (e.g., authorized/unauthorized operations and/or data communications, remedial actions, etc.);
  - one or more user-space instance applications 334, which include application files, configuration data, and other information for instantiating user-space instances 110;
  - a security instance 336, sometimes called a security user-space instance, for performing one or more functions with respect to user-space instance security (e.g., applying identified security policies to operations and/or data communications of user-space instances 110);
- an (optional) security controller 338 for performing one or more functions with respect to user-space instance security (e.g., consolidating data received from other instance engines 314, security instances 336, etc.; using consolidated data to form clusters, identify security policies, apply security policies, etc.);
- an (optional) virtual machine monitor 340 for virtualizing and managing virtual machines 120 ( FIG. 1C ); and
- one or more application modules 342, which include:
  - host application modules 344 for performing various functions of the computer system 102 (e.g., applications for word processing, calendaring, mapping, weather, stocks, time keeping, virtual digital assistant, presenting, number crunching (spreadsheets), drawing, instant messaging, e-mail, telephony, video conferencing, photo management, video management, a digital music player, a digital video player, 2D gaming, 3D (e.g., virtual reality) gaming, electronic book reader, etc.).
Claims (32)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US15/426,998 US10356127B2 (en) | 2016-06-06 | 2017-02-07 | Methods and systems for applying security policies in a virtualization environment |
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US201662346384P | 2016-06-06 | 2016-06-06 | |
US201662346380P | 2016-06-06 | 2016-06-06 | |
US15/426,998 US10356127B2 (en) | 2016-06-06 | 2017-02-07 | Methods and systems for applying security policies in a virtualization environment |
Publications (2)
Publication Number | Publication Date |
---|---|
US20170353498A1 US20170353498A1 (en) | 2017-12-07 |
US10356127B2 (en) | 2019-07-16 |
Family
ID=60482844
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US15/427,004 Active 2037-06-25 US10341387B2 (en) | 2016-06-06 | 2017-02-07 | Methods and systems for applying security policies in a virtualization environment using a security instance |
US15/426,998 Active 2037-06-28 US10356127B2 (en) | 2016-06-06 | 2017-02-07 | Methods and systems for applying security policies in a virtualization environment |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US15/427,004 Active 2037-06-25 US10341387B2 (en) | 2016-06-06 | 2017-02-07 | Methods and systems for applying security policies in a virtualization environment using a security instance |
Country Status (1)
Country | Link |
---|---|
US (2) | US10341387B2 (en) |
Families Citing this family (24)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9825982B1 (en) * | 2016-04-29 | 2017-11-21 | Ciena Corporation | System and method for monitoring network vulnerabilities |
US10375121B2 (en) * | 2016-06-23 | 2019-08-06 | Vmware, Inc. | Micro-segmentation in virtualized computing environments |
US20180287999A1 (en) * | 2017-03-31 | 2018-10-04 | Fortinet, Inc. | Per-application micro-firewall images executing in containers on a data communications network |
US10977361B2 (en) * | 2017-05-16 | 2021-04-13 | Beyondtrust Software, Inc. | Systems and methods for controlling privileged operations |
US10505967B1 (en) * | 2017-06-28 | 2019-12-10 | Armis Security Ltd. | Sensor-based wireless network vulnerability detection |
US10498758B1 (en) * | 2017-06-28 | 2019-12-03 | Armis Security Ltd. | Network sensor and method thereof for wireless network vulnerability detection |
US11792307B2 (en) | 2018-03-28 | 2023-10-17 | Apple Inc. | Methods and apparatus for single entity buffer pool management |
KR102059808B1 (en) * | 2018-06-11 | 2019-12-27 | 주식회사 티맥스오에스 | Container-based integrated management system |
US11134059B2 (en) | 2018-12-04 | 2021-09-28 | Cisco Technology, Inc. | Micro-firewalls in a microservice mesh environment |
US11228563B2 (en) | 2018-12-18 | 2022-01-18 | Citrix Systems, Inc. | Providing micro firewall logic to a mobile application |
US20200364001A1 (en) * | 2019-05-15 | 2020-11-19 | Vmware, Inc. | Identical workloads clustering in virtualized computing environments for security services |
US11093657B2 (en) * | 2019-05-19 | 2021-08-17 | International Business Machines Corporation | Limited execution environment for monolithic kernel |
WO2021002010A1 (en) * | 2019-07-04 | 2021-01-07 | パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカ | Illegal frame detection device and illegal frame detection method |
US11893423B2 (en) * | 2019-09-05 | 2024-02-06 | Nvidia Corporation | Techniques for configuring a processor to function as multiple, separate processors |
US11663036B2 (en) | 2019-09-05 | 2023-05-30 | Nvidia Corporation | Techniques for configuring a processor to function as multiple, separate processors |
US11829303B2 (en) | 2019-09-26 | 2023-11-28 | Apple Inc. | Methods and apparatus for device driver operation in non-kernel space |
US11558348B2 (en) | 2019-09-26 | 2023-01-17 | Apple Inc. | Methods and apparatus for emerging use case support in user space networking |
FR3110726A1 (en) * | 2020-05-20 | 2021-11-26 | Orange | Method for securing a system call, method for implementing an associated security policy and devices implementing these methods. |
US11606302B2 (en) | 2020-06-12 | 2023-03-14 | Apple Inc. | Methods and apparatus for flow-based batching and processing |
US11775359B2 (en) | 2020-09-11 | 2023-10-03 | Apple Inc. | Methods and apparatuses for cross-layer processing |
US11954540B2 (en) | 2020-09-14 | 2024-04-09 | Apple Inc. | Methods and apparatus for thread-level execution in non-kernel space |
US11799986B2 (en) | 2020-09-22 | 2023-10-24 | Apple Inc. | Methods and apparatus for thread level execution in non-kernel space |
US11882051B2 (en) | 2021-07-26 | 2024-01-23 | Apple Inc. | Systems and methods for managing transmission control protocol (TCP) acknowledgements |
US11876719B2 (en) | 2021-07-26 | 2024-01-16 | Apple Inc. | Systems and methods for managing transmission control protocol (TCP) acknowledgements |
Citations (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5560013A (en) | 1994-12-06 | 1996-09-24 | International Business Machines Corporation | Method of using a target processor to execute programs of a source architecture that uses multiple address spaces |
US6205528B1 (en) * | 1997-08-29 | 2001-03-20 | International Business Machines Corporation | User specifiable allocation of memory for processes in a multiprocessor computer having a non-uniform memory architecture |
US20060053216A1 (en) * | 2004-09-07 | 2006-03-09 | Metamachinix, Inc. | Clustered computer system with centralized administration |
US20070078913A1 (en) * | 1999-07-14 | 2007-04-05 | Commvault Systems, Inc. | Modular backup and retrieval system used in conjunction with a storage area network |
US20070180257A1 (en) * | 2004-02-24 | 2007-08-02 | Steve Bae | Application-based access control system and method using virtual disk |
US20080229041A1 (en) * | 2004-11-25 | 2008-09-18 | Softcamp Co., Ltd. | Electrical Transmission System in Secret Environment Between Virtual Disks and Electrical Transmission Method Thereof |
US7484245B1 (en) * | 1999-10-01 | 2009-01-27 | Gigatrust | System and method for providing data security |
US7739498B2 (en) * | 2002-01-15 | 2010-06-15 | GlobalFoundries, Inc. | Method and apparatus for multi-table accessing of input/output devices using target security |
US8166474B1 (en) * | 2005-09-19 | 2012-04-24 | Vmware, Inc. | System and methods for implementing network traffic management for virtual and physical machines |
US8775534B2 (en) | 2008-10-17 | 2014-07-08 | Philippe Laval | Method and system for e-mail enhancement |
2017
- 2017-02-07 US US15/427,004 patent/US10341387B2/en active Active
- 2017-02-07 US US15/426,998 patent/US10356127B2/en active Active
Patent Citations (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5560013A (en) | 1994-12-06 | 1996-09-24 | International Business Machines Corporation | Method of using a target processor to execute programs of a source architecture that uses multiple address spaces |
US6205528B1 (en) * | 1997-08-29 | 2001-03-20 | International Business Machines Corporation | User specifiable allocation of memory for processes in a multiprocessor computer having a non-uniform memory architecture |
US20070078913A1 (en) * | 1999-07-14 | 2007-04-05 | Commvault Systems, Inc. | Modular backup and retrieval system used in conjunction with a storage area network |
US7484245B1 (en) * | 1999-10-01 | 2009-01-27 | Gigatrust | System and method for providing data security |
US7739498B2 (en) * | 2002-01-15 | 2010-06-15 | GlobalFoundries, Inc. | Method and apparatus for multi-table accessing of input/output devices using target security |
US20070180257A1 (en) * | 2004-02-24 | 2007-08-02 | Steve Bae | Application-based access control system and method using virtual disk |
US20060053216A1 (en) * | 2004-09-07 | 2006-03-09 | Metamachinix, Inc. | Clustered computer system with centralized administration |
US20080229041A1 (en) * | 2004-11-25 | 2008-09-18 | Softcamp Co., Ltd. | Electrical Transmission System in Secret Environment Between Virtual Disks and Electrical Transmission Method Thereof |
US7840750B2 (en) * | 2004-11-25 | 2010-11-23 | Softcamp Co., Ltd. | Electrical transmission system in secret environment between virtual disks and electrical transmission method thereof |
US8166474B1 (en) * | 2005-09-19 | 2012-04-24 | Vmware, Inc. | System and methods for implementing network traffic management for virtual and physical machines |
US8775534B2 (en) | 2008-10-17 | 2014-07-08 | Philippe Laval | Method and system for e-mail enhancement |
Non-Patent Citations (1)
Title |
---|
Huang, Office Action, U.S. Appl. No. 15/427,004, dated Nov. 2, 2018, 16 pgs. |
Also Published As
Publication number | Publication date |
---|---|
US10341387B2 (en) | 2019-07-02 |
US20170353499A1 (en) | 2017-12-07 |
US20170353498A1 (en) | 2017-12-07 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10356127B2 (en) | Methods and systems for applying security policies in a virtualization environment | |
US11290488B2 (en) | Distribution and management of services in virtual environments | |
US11652852B2 (en) | Intrusion detection and mitigation in data processing | |
US10375111B2 (en) | Anonymous containers | |
RU2755880C2 (en) | Hardware virtualized isolation for ensuring security | |
AU2015374078B2 (en) | Systems and methods for automatically applying firewall policies within data center applications | |
CN107046530B (en) | Coordination management system for heterogeneous agile information technology environment | |
KR101535502B1 (en) | System and method for controlling virtual network including security function | |
US9116768B1 (en) | Systems and methods for deploying applications included in application containers | |
US9407664B1 (en) | Systems and methods for enforcing enterprise data access control policies in cloud computing environments | |
US10102019B2 (en) | Analyzing network traffic for layer-specific corrective actions in a cloud computing environment | |
US20210185093A1 (en) | Fine grained network security | |
EP3994595B1 (en) | Execution environment and gatekeeper arrangement | |
EP2929483A1 (en) | Method and apparatus for secure storage segmentation based on security context in a virtual environment | |
US9147066B1 (en) | Systems and methods for providing controls for application behavior | |
US20220129541A1 (en) | Containers system auditing through system call emulation | |
US9300691B1 (en) | Systems and methods for enforcing secure network segmentation for sensitive workloads | |
US12067111B2 (en) | Liveness guarantees in secure enclaves using health tickets | |
Song et al. | App’s auto-login function security testing via android os-level virtualization | |
US10614211B2 (en) | Bringing a non-isolated application into an isolation layer with an isolated application | |
US20230259349A1 (en) | Systems and methods for generating application policies | |
US20240205232A1 (en) | Remote access control using validation of physical location of remote user | |
Kulkarni et al. | Survey on Smartphone Virtualization Techniques |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| AS | Assignment | Owner name: NEUVECTOR, INC., CALIFORNIA. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:HUANG, FEI;DUAN, GANG;REEL/FRAME:041389/0071. Effective date: 20170206 |
| STPP | Information on status: patent application and granting procedure in general | Free format text: NOTICE OF ALLOWANCE MAILED -- APPLICATION RECEIVED IN OFFICE OF PUBLICATIONS |
| STPP | Information on status: patent application and granting procedure in general | Free format text: PUBLICATIONS -- ISSUE FEE PAYMENT VERIFIED |
| STPP | Information on status: patent application and granting procedure in general | Free format text: AWAITING TC RESP, ISSUE FEE PAYMENT VERIFIED |
| STPP | Information on status: patent application and granting procedure in general | Free format text: PUBLICATIONS -- ISSUE FEE PAYMENT VERIFIED |
| STCF | Information on status: patent grant | Free format text: PATENTED CASE |
| CC | Certificate of correction | |
| AS | Assignment | Owner name: NEUVECTOR, LLC, CALIFORNIA. Free format text: CONVERSION AND CHANGE OF NAME (INC TO LLC);ASSIGNOR:NEUVECTOR, INC.;REEL/FRAME:060991/0522. Effective date: 20220510. Owner name: SUSE LLC, UTAH. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:NEUVECTOR, LLC;REEL/FRAME:060655/0894. Effective date: 20220515 |
| FEPP | Fee payment procedure | Free format text: ENTITY STATUS SET TO UNDISCOUNTED (ORIGINAL EVENT CODE: BIG.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY |
| MAFP | Maintenance fee payment | Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY. Year of fee payment: 4 |